Back to skill

Security audit

Business English Coach

Security checks across malware telemetry and agentic risk

Overview

This is a text-only workplace English coaching skill with broad routing language but no hidden code, data access, credentials, or destructive behavior.

Safe to install for workplace English coaching. Users should avoid pasting confidential company, client, legal, HR, or security-sensitive text unless their organization permits sharing that content with the AI tool, and maintainers could narrow the trigger language to avoid accidental use for non-language workplace advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description says it should trigger for essentially any work-related English improvement request, which is broad enough to capture many generic workplace prompts that may be better handled by other, more specific skills. In an agent system, overly broad routing can cause unintended invocation, leading to misclassification of user intent, reduced reliability, and possible exposure of sensitive workplace text to an unnecessary skill context.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The invocation guidance repeats broad examples and lacks negative examples or scope limits, so an orchestrator or human operator may invoke the skill for loosely related workplace requests. In this context, the risk is not code execution but poor skill routing, unnecessary handling of sensitive business communications, and confusion between language coaching and substantive professional advice.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is very broad and includes generic workplace-English improvement requests, which can cause the skill to activate in situations where a more appropriate or user-selected skill should handle the request. This creates routing ambiguity and increases the chance of unintended data exposure to the wrong skill, especially when users paste sensitive workplace content such as emails, PR comments, or manager communications.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
The skill is explicitly targeted at Vietnamese tech professionals and instructs the system to use the learner's support language, but it does not define a clear opt-in, locale gate, or user-preference check. This can lead to inappropriate personalization or language-based targeting, where users are steered into a demographic-specific experience without having requested it.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.